Re: [squid-users] Working ACLs for SSL Accel in 2.5pre10?

From: Henrik Nordstrom <[email protected]>
Date: Wed, 21 Aug 2002 02:37:24 +0200

You are correct in that Squid-2.5 reconstructs both as http://... URLs
internally, but you should be able to use the my_port directive to
differentiate the requests from each other based on which port the request
was accepted on.

If you want to have https_port reconstruct the URLs into https:// URLs
then some changes will be needed to the code. See also the rproxy branch
at sourceforge. But keep in mind that you then MUST use a redirector to
rewrite the https:// URLs into http:// before being forwarded by Squid.

Regards
Henrik

sean.upton@uniontrib.com wrote:
>
> I have an HTTP accelerator I would like to do SSL with. I have been playing
> around with SSL accel in 2.5pre10, and I seem to like it so far. I'm a bit
> baffled about how one might go about setting up ACLs to prevent a particular
> URL from being accessed through port 80, but ok via SSL...
>
> For example, given URLs like this:
> http://cmanager/foo
> https://cmanager/foo
>
> The redirector I'm running takes anything going to ^http://cmanager/ and
> sends it to a backend http server on port 80... the first in the above list
> would ideally be rejected, and the second allowed, but I can't seem to set
> up an ACL that would do this.
>
> For example, the following does not work, because https access is blocked as
> well as http:
> acl cmanager url_regex -i cmanager
> acl SSLUrls url_regex ^https
> http_access deny !SSLUrls cmanager
> I've also tried:
> http_access deny !SSL_ports cmanager
> That doesn't work either.
>
> I suspect that the SSL accel machinery makes squid's acl machinery handle
> the URL like a normal http URL, since my redirector rule (that works) is
> passed an HTTP URL by squid even on an HTTPS access.
>
> Any thoughts on how/if this can be done with the current state of SSL accel
> support?
>
> Sean
>
> +-----------------------------------------------------------
> | Sean Upton
> | Site Technology Supervisor SignOnSanDiego.com
> | Development & Integration The San Diego Union-Tribune
> | 619.718.5241 sean.upton@uniontrib.com
> | PATH_TO_THE_DARK_SIDE = 'c:\winnt\system32'
> +-----------------------------------------------------------
Received on Tue Aug 20 2002 - 18:34:41 MDT
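
An added example, not part of the original messages, of the approach described in the reply: match on the port the request was accepted on instead of the URL scheme. It assumes plain HTTP is accepted on port 80 and SSL on port 443, and that the ACL type is written `myport` in squid.conf; the certificate paths and the ACL name `plain_port` are placeholders.

```conf
# Listening ports (assumed): plain HTTP on 80, SSL accelerator on 443.
# Certificate and key paths are placeholders.
http_port 80
https_port 443 cert=/path/to/cert.pem key=/path/to/key.pem

# URL match taken from the original question.
acl cmanager url_regex -i cmanager

# Does not work: requests from both ports are reconstructed as http:// URLs,
# so ^https never matches and the deny also hits requests that came in via SSL.
#   acl SSLUrls url_regex ^https
#   http_access deny !SSLUrls cmanager

# Match on the local port the request was accepted on instead.
acl plain_port myport 80

# Reject cmanager URLs that arrived on the plain HTTP port. Requests accepted
# on 443 do not match plain_port and fall through to the rules below.
http_access deny cmanager plain_port

# ... the accelerator's remaining http_access rules follow here ...
```

http_access rules are checked in order and the first matching line decides, so the deny line has to come before any rule that would allow the request.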
